Re: [DNSOP] nsec3-parameters opinions gathered

Michael Bauland <Michael.Bauland@knipp.de> Mon, 29 November 2021 12:54 UTC

From: Michael Bauland <Michael.Bauland@knipp.de>
To: dnsop@ietf.org
Date: Mon, 29 Nov 2021 13:55:21 +0100
Message-ID: <df0717a9-fb4f-2412-7c4e-10f6213494d9@knipp.de>
In-Reply-To: <7AB6BFF3-4AD8-4D08-8C0D-F4A5904AC277@dukhovni.org>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/E-stoaR3hK_2L-fQIddq_JjZ6Wo>

Hi Viktor, hi all,

thanks for making us aware of the NSEC3 iteration count topic.


On 08.11.2021 18:29, Viktor Dukhovni wrote:
>> On 8 Nov 2021, at 6:07 am, Petr Špaček <pspacek@isc.org> wrote:
>>
>> TL;DR
>> I say we should go for 0 and acknowledge in the text we are not there yet.
> 
> This means reaching out to the TLD operators again...  They were quite
> cooperative ~6 months back, but I wouldn't want to take them for granted
> and keep asking for multiple further rounds of changes.  So whatever target
> ends up in the final document should be something they'd be willing to adopt
> as a final "issue closed" update.
> 
> The iteration count distribution for the TLDs is presently:
> 
>   # TLDs NSEC3 iterations
>   ------ ----------------
>      147 0
>      458 1
>        1 2
>       14 3
>      112 5
>        4 8
>      545 10
>       29 12
>        1 13
>        1 15
>        1 17
>        6 20
>        2 25
> 
> The outliers above 10 are:
> 
>      ccTLDs: bn de dk pl sg ua xn--clchc0ea0b2g2a9gcd xn--yfro4i67o
> 
>      gTLDs: alstom barcelona bauhaus bcn cat erni eurovision eus firmdale gal gdn
>             gmx ifm lacaixa madrid man mango nrw quebec radio ruhr sap scot seat
>             sport swiss whoswho xn--55qw42g xn--80asehdb xn--80aswg xn--mgbab2bd
>             xn--zfr164b

We see your argument and have now adjusted our configurations 
accordingly. All TLDs run by CORE Association and Knipp (i.e., almost 
all from the gTLDs list above) have now reduced their NSEC3 iteration 
count to 0.

Best regards,

Michael

-- 
____________________________________________________________________
      |       |
      | knipp |            Knipp  Medien und Kommunikation GmbH
       -------                    Technologiepark
                                  Martin-Schmeisser-Weg 9
                                  44227 Dortmund
                                  Germany

      Dipl.-Informatiker          Fon:    +49 231 9703-0
                                  Fax:    +49 231 9703-200
      Dr. Michael Bauland         SIP:    Michael.Bauland@knipp.de
      Software Development        E-mail: Michael.Bauland@knipp.de

                                  Register Court:
                                  Amtsgericht Dortmund, HRB 13728

                                  Chief Executive Officers:
                                  Dietmar Knipp, Elmar Knipp
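The thread above talks about NSEC3 iteration counts without showing what an iteration actually costs or how an operator would check a zone. The following is an added example, not code from the thread or from any of the operators named in it. It implements the NSEC3 owner-name hash exactly as RFC 5155 section 5 defines it (SHA-1 over the canonical wire-format name plus salt, re-hashed once per iteration, base32hex output), parses NSEC3PARAM presentation-format RDATA so a zone can be checked against the "0 iterations" target, and re-counts the TLD distribution quoted from Viktor's message. The `TLD_ITERATION_DISTRIBUTION` table is constructed from that quoted table; the function names and the check helper are this example's own and not part of any tool.

```python
"""Added example: NSEC3 hashing per RFC 5155 and an NSEC3PARAM iteration check."""
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex alphabet; RFC 5155 uses base32hex without padding.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire form of an owner name, which is what gets hashed."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # terminating root label


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5:
         IH(salt, x, 0) = H(x || salt)
         IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    Returns the lowercase base32hex label. Every extra iteration is one more SHA-1
    that each validating resolver must compute for every denial it checks."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(_B32_TO_B32HEX).rstrip("=").lower()


def hash_invocations(iterations: int) -> int:
    """SHA-1 computations a validator pays per hashed owner name: one plus the iteration count."""
    return iterations + 1


def parse_nsec3param(rdata: str) -> dict:
    """Parse NSEC3PARAM presentation RDATA such as "1 0 10 aabbccdd" or "1 0 0 -"."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"NSEC3PARAM needs 4 fields, got {len(fields)}: {rdata!r}")
    alg, flags, iterations, salt = fields
    if salt != "-":
        bytes.fromhex(salt)  # reject a malformed salt early
    return {"hash_alg": int(alg), "flags": int(flags),
            "iterations": int(iterations), "salt": salt}


def iterations_exceed_target(rdata: str, target: int = 0) -> bool:
    """True when the zone's NSEC3PARAM still carries more iterations than the target
    the thread converges on (0)."""
    return parse_nsec3param(rdata)["iterations"] > target


# Constructed from the table quoted in the thread: {iteration count: number of TLDs}.
TLD_ITERATION_DISTRIBUTION = {
    0: 147, 1: 458, 2: 1, 3: 14, 5: 112, 8: 4, 10: 545,
    12: 29, 13: 1, 15: 1, 17: 1, 20: 6, 25: 2,
}


def tlds_above(distribution: dict, threshold: int) -> int:
    """Number of TLDs whose iteration count exceeds the threshold."""
    return sum(n for iters, n in distribution.items() if iters > threshold)


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone: algorithm 1, 12 iterations, salt aabbccdd.
    print("H(example.) =", nsec3_hash("example.", "aabbccdd", 12))
    for rr in ("1 0 10 aabbccdd", "1 0 0 -"):
        verdict = "above target" if iterations_exceed_target(rr) else "ok"
        print(f"NSEC3PARAM {rr}: {verdict}, {hash_invocations(parse_nsec3param(rr)['iterations'])} SHA-1 per name")
    print("TLDs above 10 iterations:", tlds_above(TLD_ITERATION_DISTRIBUTION, 10))
    print("TLDs above 0 iterations: ", tlds_above(TLD_ITERATION_DISTRIBUTION, 0))
```

The count of TLDs above 10 iterations recovered from the quoted table (40) matches the length of the outlier list in the same message (8 ccTLDs plus 32 gTLDs), which is a convenient cross-check that the table was transcribed intact. Pointing `parse_nsec3param` at the NSEC3PARAM RDATA a zone actually serves is the minimal check an operator can run after a change like the one Michael reports.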